Introduction , .^^ nctwofU^, adminisirators are

. to attacks and potcnual attack, ag^^n^. ^"^-'^ Jf^ j^ms c^nUor bo^iU. 

hcurisric techniques l^ave been us 

The present developmem expa""^ ^,^„f^nt ihat oriorinies alerts. ^ '^<^ *^«'»» 

of . deploynnent. .nd imroduces ' -"^^^^.^^^^ in me form ot B.yes 

on .«5taiisucal similarity .Ticasurc. aad probab.u 

ncTworks. o-nt-ral represent a minority o*" 

rXeJ/mevhodcloe;... employed to^^^^^^^^^^^^ 

evolving systems for corrclatmg '^"^ PJ ""^'^^J'^ 'V probability distribution of 
a probabilistic system needs to ^P«;JyJ^^^;;^;^!^l^g. Thi. is extremely diffcuU 
Observable allrlbutes aad concsjJOt^.ag pr orr^ . t th« 

axn^alve relative to sign^tur. system. ^^^.^^ 
TWe re™.nder .f thi. paper is organized as foUow. ^^^^^^^^^^^ -^^f 
in ptx^b^bilistic alert correlation \1 1 We *en ^^^j,^ ^eSuH is lO duphc^lC 

Sensor Correlation and Alert Fusion

o... View, sensor corccUUon con.i.s ^^^^^^^^^^^^ 
increasing difHcaUy. At the f.rst, ^^6-.-^ I'ageable rumb.r of aler. .x^ports. 

(TCP ccmncaions. audit records. a»d so '"^^ ^^^^^^^^^^ ^^c ne.t level, it may be 
Vh. Kch.cved by tbe EMERALD ^'^^J ^^^"^^^^^^^^^ an. .UJusc it. own 

des.r.ble f.r «.m. seasor lo be ^^^^ ^ ^^^^ heterogeneous sensors, as 
state accordingly. H-mally. we -'^"'^ .'f ^^^^^^^ ^j,,, i.celli-cnrty denved meta 

well «uxilifti7 in^orm«UO.^. r'rovtde .in operatOl wivu 
Alert Threads ^Wcb is cocppatiblc with

evolving siandards for alert coni^nt f ^^^^J"^^^ j^^^es in ihc attack confidence 
bJcd oa transitions u, u.o^ scHou. ^^f ^'^^f t.. «moa5 Other fa«o,-s. For _ 

comprehending Multiple Sensors eBayes-TCP. 

The system we iufonu^Hy ..fc. ^/^ ^i^:^^^^ monltL valid ho.^ 

wUich momtors TCP '''''<''''^;''^,^'^^^^ that the former qacnes the 

and services within prct.c«d -^7;^;7*2l'.!,'';i J^^^^^ is mattiemuucan, 

state of Che latter, and adjusts accordrng y. ^^^'^^^^ ^^^i of their world and 

straightfonvard in Bayc« formalist..., jh.ch ^ n , ,,,,ved) 

;;c ronrr^^bi: ^y^^^s— ^^^^^^^ p-^--^ — 



the Of o.e sensor .ch.cv... p _ ^ ^ 

parliCuUr fwiarcs. ^"^^^ J'^,^^ „„dcr attack. When tb^ attacker ^^^^^^ 

'dicat. accessing f "^^^ ^J^^" s.adenly aPP^^ fni^" l^gi 

denial Of servK-e CD'^^J' ^J^^f^^^ do no. r.ise nlens some fcau»cs 

,m ^ould normally be '"^'^^^^f^^.^ evidence mast nnw '^oj^^^'^^^erts for the 
^U.e .tens f^-J^-: 1^^^^^^^^ .ucU .ight cause of alerts 

Wiinovii thi5 ^'^Pf •/,^"7^.^e term ''collateral daniase )• the avvack^r. 

service I. iu « degraded Stat.. comprehends the state of anod;er 

Meta Alerts and the Alert Template

Includes the concept ot aien iiircau ..^,r-,-a»v'' fic d m addition ^0 tnc ^ 

r^ntgcment component.. We ^^'f^'^'^..^'^^^^^ condition the reports of .ome 

ncli tocribing the scsor type allti pU«nvM,t. ^ ^^^^ 

.H. ..p.. . p«.ntw .se. ' ^'-*„f.trrz'x:^~ - 

probubUistic techmques. Our eurly cxpuimeat. 



A f \ tft corrdflfen Rrgirtes than is 

Ante^ni ctuvt wi»l be. i«ore useful W corr« 
to fill Ibis ccmplaccwl^ntcmch. ^ 

currcinly available. commonality, f^'^^"^^ '''Jl' 1"^ 

a,,d si^^-^-'^-^P^^'^'lf.f^S alerts, potentially ^^^l^^^^^^U^r.^ tbcy h»vc 

possibly '•^"^P^^t °S a m-^ta alen). we begin '^^^"'^yg"^(i.os« P°^^' 
alerts Ctypi"^^ source of the ^^J,, Kave . 

common Such fe^tv .^^^^^ so f^^*^^ i corrcspotvdms to a 

the lyp^ of the a«'»<-^« ^ ^ui^bc, between 0 and 1 . wan 

oo. ob««rvcd vuw«. oowailKd I" -IK "f^'^-rt probe)? 
, ,t ^„ .n„r« addresses are diffcr^nv « Aej t'^y ^ ^^^^ 

if the -«<ource docs not match (cxp^aaiioa normalized by 

We U.ea compose overall .Ic. ^'^^^.T' 
expectation of simnariiy. The appro;»ch ^"^^"^ J ,,cterogenccus sensors. The new 
overlap, and is thus w.lt s.ited for use ^^^^ -^^^ ^^^narity is good euough- If 
Ut^is'fused.i.hrhem«a^^^^^^^^^^ 

no existing meta alerts are a .^^^.^ so ihai the new meta alett is a 

.Urt thread Fusion cons.Sts of comb.mng teaw^^^^^ 

sui«tsc.of the p«viou. meta ;dert and h. "^^ "^^J^^, funcuonality includes trim 
comprehending "Hit counts" to ^J^f 'Selmi^l lecails of our similarity 
funcUon." W prevent ^r^^^pf }^.^^^^^ -Vventn the ic^lIli-L^^'^. ^^'^f^ 
functions and c.pectat.on of simvlan .re give^ ^^^^^^^.^^ 

following subsections give nnorc deta.l oa ,,^posing met. 

The meta alert itself supports the threading concept, so we can
alerts from meta alerts.

Feature fusion . ^^ross common 

Wl.n .y«eo, ...a., ... rwo alcrJS^ ^-f, ^^^^^^^^^ Z S.^^S^^e 

f«.ares. the fused feature set ts a ^."Pf^^^^^JJ^^:^:* nvolvcs list merging, l^or 
values in fused alerts are typ.cally l.si>. so alett tUMon 



f 1 p^^B^ network 

well an associated hU coiim. J o ^^.^ ^^^^^^ 

Tbat trims 1>SI cl«uenxs v.,ih c^tr^rncy ijenufiett of all the 

«nupo»c«al««. There is potec.i«l foi ^^^^ubit foe 

up(i«8t of or oUierwlse related to one or 

alert similarity. HiFfertiit hosts, we do not 

„ ^cn -ceivcd „po«. f-oj, Ho~„°^f r c a,.w=rW sensor 

txwa ae vats« host f«i>-»"» '» " " „ received, the cupectsuor of 

.imllarily is «.« •»« <«R« """^ °' . . . a„ „„i sniBe of an attack for 

TO cousider .he^er an '^V^^T:;^:^^Zt^.pm%' '"^ 

whldi a probe was observed. ^^^^JJ ^'''lisj yf u,c .new alcix. 

potT) to be corvt^ined the target host and port ^^^^^^^ 

we declare tb. attacK code f i^-J -Sil^r^^"^^ 
class in general. For example m our *f "•^''^^ attack class -poaswerp . 

mscan that probes ccnain scrsmve pons, tha « "JJ^^^ ^„ -.nscan" TIk Bay« 
Our ho.t .casor* h«ve . specific Signature .f.^^^^^^^ "mt>can^' ".odel, but 
.ensor trade. spccHcUy for ^^^-^'^^^^^^^^^^^ r..atche3 io the target 

successfully detects Uiis attack as . P^^^'^J^j 

host a.d pott Ust. tt^e.. wo... uc con.de.a s ^^^^^^ ^^^^ 

, we have observed a probe, ^^^^f ^ /^^^^ Jgcc host at^d 

respcM to otlicr features as well. i„ oa'^e o* an 

Dedding Whether the attaCer is --""'-^"-^Sri^rriSnti ,f the »»h"et 
exact match of address. similaHty ik perfect. We assign M." 



attacker compromises a bosi w tmn o ^^^^^gj ^t^ere me au , 

;o«s for the mci. ^crx in <5;^-";;;^^^^^^^^^^^ u« Neptune attack). suT..lamy .'^P-^* 
address is likely to be spoofed (for^^^^^^^^ 

wi.h respect lo aoackcr .5 «si„ne ' 

, .-.s ea..o. U . Po^^--^^^^^^^^ .Xne, .d t.en us., that 

The Priority Ranking Model

acimlnt.tralor concencratc o» ^^"^ ^^f^ for several key attributes. Our 

CO assign a priority ranking to alerts th« pr 

;i$si&ncd. r;!.^ t^c to the relative importaace of 

Incorporation of a,c ,d-i»isa,u>r', prrfero.>c. profile »s .0 <hc re. 

observed "»lu« (s»cl> « Wl^' ..... alelV in guieral, »n 

Jen ,r,.y no, report all possible »ttnbutes ,rt„„„f.„c* attribiite 

Abili,, to update the pdoritizatio- b.sed on observatr.n of . ne 
U,.„.ibili,y of.be mo.e, Co cc„>p^c„d .^botes tba.n-ay be«n.ed 
w„hmtai.nalpemrbationto<hcr«tofthe,r»<l=l i, . priority 

Compuutioruaiy, oar appro»=<. desist. . "i-t inflwt.ce of »n 

generally agixc wi.h ^'^^'V-^S-'^.'^f^t" to exatume e.ch alen . 

^alistic environment With muU.ple IDS make. « ^^^n eLrtise does not at present cxvst 
detail, second, rUe depth °" Jf^^^^ number of aJcn. 

in most enterprise r^otworks. Our goa .s ° '^^^^^J^ ^^"^^^^^ fg,.c. The analogy to 
and produce a priority racking w.tl^ which a domau, expert - ^^i,,;^^,. We 

have taken the approach of attempting to define »c^^^ 
Lozmsc We recognize that representation of aitnbutv, f c^u • 

;S liti« ^ep^seV. an abstraction m.. the expect s 
we use this initial repi-esentarion as a start.ng po.nt. and piov.de 
.uble. o% TciStaow^cdge of B.y« sy. ^^^^^

W -medium" and -hi&h' )- a c linked to th. rod 'ocrcspondi^ 

cffecuvcly "pass ^^^^^J^^e reader will recall ihat this ^'f ^ 

h.vc two main ^'^^.'^^'^^JJ^^^^^^ hraac^ connecu; to a node 
3nrihatcs oil the pn«ruy . w^tle o ^^^^ ^ g^^) ^^^^ ^^^^^^ 
aflueoce of asset .^'^fcLsijecific attributes to the P '^"'y-J^^ ih.t may 

expressing th<^ rclaoonsb-p of ^^^^^^^^^ rcpreseniing criticaUty of asset 

(»od« B in the figure) ^^^^ attribute groupings in 

touched by un ^^^^^^^ to .he ^^f^^:^:^:^',.^ th«.u,h" 
the root allows for ^"bjcct ve wci .s .ch.c oy 

simplicity and efficacy.




Attack Class 
Subtree 



Asset Criticality

Subtree 




Figure 2: Model for Alert Prior

Attack Class Attributes

M pi^seni. auacW cla.. ^^^j^J^J^;: ^.^.^of concern P-"^\S[jf J° ^^fsu^^^ 

dies. TUi. U a ^<>-^''^':^^';^^^^^ of low co«ce^^. ^'^^^^J . probabvUvy 

configure our sys:cm so mat pro^ ^ 'ten rbeir mass to one 

unauthorized ^^^^^V""^ fj^^^^, capabU of a single call assign a -^^ 

mass over cUc .tt,ck f ^X^tcd based bovb on^he sen or S con 

attack class, -niii « P°''""f .S?iS«oi^ engine's confidence m the senso^^^^^^^ 

Asset Criticality Attributes .^^.,y. Our initial

T iciCforc. tor any or vnv* .u- anribute was observca anw Ki»<e^d on a 

valua: the atiribme «.as not o'^^'^^*f/;^*"riI^al Critk^lity .if «n asset IS b^^^^^" 
critical, arvd the anribate was observed mt.cal. ^ ^^^^^^ change. 

connguraiioti file U^at refiecis ^^''"^ ^f. ^'^^'^^^^ cPTs reflect . . . ^ 

Che sTcuriry poncy. The clement of "-^^P^^^^^^^ .^ntS tWO v^u« ot cnuca^^ 
r(c-.W/^y - ^P---'^ - P)- ' ^ ' rZ-ledce base consists of a set of CPTs 
by .i.^ vala^ of priority. Therefore. l^'^^^^^^t rb'^ nch. If tbe attribute iS not 
UnkmTtHc attribute to el.e -PP-P"f ..^.^J^ ^^J^X ao^^^^^ changed, and thu, b. 
Observed in a given alert. Utc S.atc o the ^^«^^^P^"^ K this attribute is observed ^n 
anribute do« not influence th. result one ^^y^^'j'^l.^,^ p,^vious pnoritization for 
a .ub>cque^t update for the same alen. our system .jjUS ■ P ^^^rfb^ieS, and 

acw inforaU- ^^^^ ^^^^^^^^^^ all Key desirable fea.u..s 




Figure 3: Asset Criticality Subtree

Pass-Through NQd6s ,«„„thP influence of <fiff«««^ 
Hod.. A .nd B .re the roocs of <if "^^^ ^^^^^^^^^^^^ - serving . "P- 

g^aps of attributes on the desired 'J^^^^,",^^^^^^^ If the cn's rcUdng the.. 
S?c«gh" funcuon. propagating the subtree r^^^^^^"^^^ from the le.v^ uade 

maior branch nodes to the root ant identity matrices, me ^ aiaeoaal etfect, velj 



..r,ted. the system behaves as rf the ^^^^^^^^^'^^^^^ learning threshold) enmes 

(priority assignment) "wins" (P^.^^'^J^^.^^^'^^f oSation (which are really the 
Z *e CPT .1 .Hjiisted slight y the ^'^f °^ w.nnins hypotheses 

liktUhood n.css«gc. at th= kai nodes) T''^^;^^ ^^^^^^^ ,he current observation, 

aged (multipUcd by a decay factor) and ''^"'^^'^^"^.^^J^^^^^ observed 
The effective couac. for oth«r Uypothe.e.. ^f^" ^^^^^^^ oa U.. cff-uvc 

hypotheses approach a saturation count. -^^^L^^^^^jf^^tu Conversely, a very nvrdy 
count. a.w ot,s.rvations perturt ^^^^^ Xsl^lSorvs. as its effective count 

observed hypothouts adapr. mon. ^^'^ "^^.^"f valt^es- Th.s can be thought 

decays to a lower value and thus assJgm lei.s wcigni ra p 
of as hypothesis-specific annealing.
Live Data . ^ .,„„;.,st our inlcmal t\6t^or>^ ^^^'^^

. 193.230.37.2 por« 

oortsve.p l-O^O 2000.oe-XO C..^0:2B from 

HeS To ?2<3, dt= 0^321 .^^^ 3,., ,n«.x-ecr 3.83 

count 164 max age count o.i S L 

aaa.bbb.16.1 aaa.bbb.17.1 "^•^""•j; ^ aaa.bbb.24.l ^^-^Mn i 

"soo, uo,», j«><». »j<jj> "<^,!>.r'"o!... 

851 O.OOll 0.0»» 004 0.002 «.00» ,„„ 

°iroo. ° °°°o..oJ-"%.ooS-'"o.- 
...n 0.000 o..,« 

fl 990528 o<s<ifi anoft 0. 98701 B 
Hon-sys alloc por^* « ^^r '-xtTrs wetal 24 count 0 

invalid hOflts 30 invaUd ports 6 fevat 

,0.0 00 10 oe.so,28 .*..bhh.l.l to aaa.bbD.ai.l portowocp 

1.000 

SU.na.. actacs v.UW .ffe.n. ...ec IP ^^^^^^^^ ^^^'^ '''' '""^ 

alert fusion utility produced the following meta alert,

Mftt.a alert threacj ;i2 

source IPS 193.230.37.2 ^ ^ 

aaa-bbb.7aaaa.bbb 8 1 ^^-f i,*^ aa^.bbb. J.5 . 1 aaa.bbb.U-l 

aaa.bbb.i2-l ^^^-^J^"^' bbb.19.1 aaa.bbb-20-1 aaa.\ 

aaa.bbb.n.X aaa.bbb.lfi.l aaa.oDD.J.? 



aaa.bbb.26. ^'^^'^^^•f.i a:.-bbb-3-2 a^^'^^^^'z ata-bbb.10.2 asa^bbX 

„.11.2 ^^^-bbtt-i^:^.^*! J „A.bbb.l9.2 aaa.bbb.20.2 
aae.bbb.l^-Z ^aa-bbb-ie.J * 

index 635 Prob J^^^/.f^^ 

ladex 109 ^rob 0.1..''80<J ^^^^^ ^^57, 

— r3r»;tr./.":«M'ii ^ ]^ 

ir.ll ini'o 111" ivU. 17,07 iS2» 

services over me ln«ni«. 1''°''"' *<^°1 Tw» m.=hi<<« 

who executes certain well-known attacks.

The atuck bc,i.s with an .nscan probe to ti. ll-^^::;^^:Zl code for mscn 
Signature-based sensors on the two mac^h.ncs "^^^^^^'^ ^ic class 

i„ Uneir alert rcpo-. The' B,.ycs network ^"^7; ' ^•^^.f'^^^^^.he allackcr address. 
>ort.swocp" The target pon lists for Ui«e ^ -^^^ rn^^dl. a. ^oe^^^^ 
^...n/wuh respect. jve^r^ 

arrive (Ihc order at which the amvc u n ^^^^^ 



Baycsprioriti7AUor» component at Q.b oassvvord fUc from the Web se.ver. 

TW. niv^cWer next usj. "^^^ The fusion engine ^onSid^S 

This \s detected by the host sensor. ^^j, ihc tact v 

All *«c actions sr. ^t,t^^,Vifl. (.«cnti:aiy 1 -OV . 

il followed, would swp the above ntt..ck P c 

Summary . the oroblem of alert 

« intrusion d.<ecio. sy«cms arc ^W.u»= . ^aJifi^l domai" 

maMEemem assumes paramouw .mporance. „c«woiks by present 

™ Se tc «amM= all aletts p«<luced o. ^'^f ^^f^itead We have propo«6 . 
IDSS, a-a at a..y r.te sach <lon,Mn ^^J^™^' ''^™'J„,, „„«ly, alett co.rel>t.o» '"d 
»y«cm that addresses tvo «pe«s « alert ""J'^" ;ems gives an alteraauve ixi 

cot.pl«ne« to the heunsttc toch».<,t».< more eotn y 

We have adapted and «teaded "-"■J^jJ'^lltf g"nS f"^- 

componeni alcrLs, rth5ervubles arc the 

Ou. appcoacn . p.o.U..Uo. U — ^ ^^^^^^^^^^^^ ^.'^ - 
allributcs potenvkUy rcpo.ted lor an "/f^'^J;,^^^^^^^ probability relal.o.vs 
knowledge base is compactly rcpresen.ed as local ^"''^'"^ * the output 

t«wccnT«.rnber. of attn.at. group, and b^^^^ 

priority. The system has an ^^^P^^*^^ ^^P^^^'^ "^^^ This trmftlng facility c«n be 
cy«iem'. "caU" for randomly generated Alert exemplars. 
»c A Whole o.' for portions or me
invoked far t^^y^^^-^^^^^^^ as Bayc. subtree., 
attribute groupings, represenl^cl as 
Similarity Expectation

new ai^i'^T ^ 

U ,he value of that fe^ure in an ^^^^^^^ ^ _ , ,d 

fcavurc. ilvai nave a ^'-jf ^^^^^^^ values are eqoal- TU^t ..v 
<jefincd to be similar ifth^'i leamn; 



l.O.X 



S/MlX.y) = |o,m/i.n./.vv ^^^^^j^^ ^ li,, of observed 

TUc .0. ,c.«. c.e -.3 one^ ^^^r"-- 1^ - ^^^^^^^^^^^^ 
values, aud a -hit coupv* f Jj^^^^^^^^^ A 
reasons of nom^aUiauon, th. ha « ' ^ ^ possibly of differeni ic», 

S Y .ce ll.cs iCo--^ ^'^^ 

probahlliiy vector descnbes a piCcer 

$P_X(C)$ = probability of category C in list X

$P_Y(C)$ = probability of category C in list Y

c&^oc&_ -J— 



If ,he two lists are same leitgrl) th.a Uu. Tno^L^^d by. say the 

Lteen the two. This an '^'^^/^^.^^J^^^^^^ If the patterns (1 . 0), 

dot product as -.s coxx^moaly used m ^7/"^^^^f^,^,°wo categories, then 
(0, 1), and (0.5, 0.5) are understood to be over the

$\mathrm{Sim}(\{1, 0\}, \{0, 1\}) = 0$

$\mathrm{Sim}(\{0.5, 0.5\}, \{0, 1\}) = \mathrm{Sim}(\{0.5, 0.5\}, \{1, 0\}) = 0.5$

In other words, the first two patterns are orthogonal, and the third is half way

l...y _ Of this 

applicati«ns. For our purpo.«. wc mu.v exi ^j^^^^ want to conslrfe. an 



#1 bl^K^i^^ ^^^^^ 

target tiosU. -'^^^P^^'^'^^'/J^on as an aUack orign-vor. 
candidate for similarity cvaiuiu 

Expectation of Similarity ejcpeciation of whicl^

n„od is . type of ««cK ,n -^'^f^ '^Z^, ^ „„,w.n=d 

sirailirity i n llie source IP 0<1'>'^'' " , flooJ snack and an CMsang aier 

between a new alen >ns|e-<l t-X » " , i„dicatmg 

e,peccat,on of .n.,a.ty ^^^^^^^ ^ 

«are Tliis tabic may be mmally popuiaiRrt ^ ' coo^protnised lioi>t onu 

attacker. . Hi/namicaUVgCt»c»»^^^^^ : 

Based on Che .Icrtstate. ihcsimllarily --^"I'^^^X^^^^^^ ' 
^Sghttd .um or ti.e elements or a.^..c.^t^^ ^^.stical .ease 

Ccv'Otving) alcrx st«e disuibuuon. TluS IS '^^^JJ ^^^^^^^^^ -,5 general enough 10 cove th^ 

rtLtion of an unambiguous call ^^-^1^;^'^^^ 0 elsewhere. Algebraically, for 

over staves is 1 .0 ^^ it^c suic covxcspond-ng co .he call ano 



a fedwrc J 

$\sum_i \mathrm{BEL}(i)\, E_j(i)$
= expected similarity for feature j, given present state

$\mathrm{BEL}(i)$ = belief that the attack state is presently i

1 .,.™.n. of *e ,oo.u. »b,e of expected si^Harity for n.c.u« . gtven st^^^ 

Both U,c .=w ,>en and tuc a.en e..ss to ;-;;;j;;t:^rdT^,:^ Z^-' - 
.CmU»ri<y e,t«c,ation for each f'»"''« ."^^ ^tv W.' i= ■=^""""'"8 „ 

then comblu^O lo form . ^.neU over the set of coromoo 

f„mre simLlanties and nott^cMS by sumlanty expectation, 



A-n 



X stvew aiart 
J indexes features 



J indexes teaiureb vrvn 
HjO') ^ ,i^u.rit). expec^uon for tea.... «t . C • ^^^^^ 

h« fomW by taking products ^a^^^f^ o^g^iy influenced by « 
A .IttvUu. drfinition «.n be J,oine .dv.ntacCS. but can bc over y 

taking the geomemc mean, i ho n 

single cxiren^^Jy small value. 
Global changes:



in 



port scan 
net 

subnci 
ipiemci 



to 



to 



itiultiscnsoi 

network 
5;ubnetwork 
Intemev 

Be consist.: th.e^ identifier or ^^^^"^ ^^^^^,,,,_.on.ys.. .ndu..^c^^- 
^ t,.. establish IDS as an abbrev.uon tor muu. 
:j.U-i-Mth..u^ouUHep^..^^^^^^^^^^ ^^^^^^^^^^ 

o TCP and CPTarenot confused. anddefmeCPl a .erb: "sev is" 

Be sure tK.t TCP and c ,f cPlV"? Noxe lhat set needs a smgul^ 

Check "set of OPT- -should n be -^^^^^^^ but 'ti.«e CPTs are" 
Mocc that OPT need, a singular verb. HhcCl'l 

Run spell check.



